Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
8304
Views
4
Helpful
1
Comments

How-To Integrate Cognitive Threat Analysis (CTA) and Cisco ISE using STIX Technology

jeppich
Cisco Employee
Cisco Employee

on ‎03-16-2017 09:26 AM

This document is intended for Cisco Engineers and customers integrating CTA (Cognitive Threat Analytics) with Cisco Identity Services Engine (ISE 2.2) using Cisco Web Security Appliance (WSA).  Supported WSA Async images are: WSA8.5.1 GD, WSA 8.0.8, WSA 7.7.5 and 9.1.1-074 and supported WSA hardware: WSA-S100V, WSA S160, and WSA 5300V and Virtual WSA.  ISE requires an APEX license for the ability to subscribe to CTA cloud instance.

The readers should have some familiarity with ISE and WSA and it is assumed that all the licenses have been installed and the reader has accounts on the Cisco CTA cloud instance.

CTA leverages WSA telemetry to identify security breaches or identity infected devices leveraging web traffic behavior analysis, machine learning and anomaly detection. These incidents are then reported to ISE using MITRE’s Trusted Automated eXchange of Indicator Information (TAXII) as the transport protocol and reported incidents are in Structured Threat Information eXpression (STIX) language format and integrates with ISE via the Incident Response Feed (IRF) CTA adapter.

This provides visibility into the compromised endpoints in ISE.  The ISE admin can take Adaptive Network Control (ANC) mitigation actions to automatically quarantine these compromised endpoints by configuring ISE CTA Course of Action authorization policies limiting network access or assigned Security Group Tags (SGT) or manually quarantining the endpoint by assigning the compromised endpoint to an ISE ANC quarantine policy.

Preview file
9717 KB
Comments
taasai
Cisco Employee
Cisco Employee
‎10-04-2018 11:19 PM

I'm prospecting a customer who is interested in ANC on the ISE and the Stealthwatch. Stealthwatch now brings a CTA account and the customer is also considering TC-NAC to integrate with the CTA account. So let me ask some questions.
*Are the configuration task and the license requirements as same as the document about WSA/CTA you have attached here?
*What license should the customer purchase? You say "ISE requires an APEX license for the ability to subscribe to CTA cloud instance." My customer would use C1 bundled license(ISE Base and Plus) with the Catalyst 9K. In this condition, I assume they will have to purchase only an Apex license because the bundled license includes the Plus license which means they can are eligible to use ANC. They only need TC-NAC, they won't use MDM nor Posture.
*If the assumption above is right, how many Apex license shoud they purchase? Is the L-ISE-APX-[x]Y-S1 minimum for this scenario?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents